Are physical documents the ultimate GDPR gotcha?

Joe Doyle from KYOCERA outlines why it is vital that public sector organisations learn how to stay cautious about physical data breaches so they’re not forced to suffer the consequences of failing to meet GDPR requirements

After what feels like years of build up, GDPR D-day has come and gone. 

In preparation, you probably identified every piece of sensitive data on your network. You’ve carefully issued swipe cards and assessed authorised privileges, instituting a GDPR-compliant process for every possible eventuality. You’ve even brought in the GDPR legal eagles who’ve given you a clean bill of health.

You’re in the clear. Or so you think…

As with any regulation, there are always blind spots and grey areas. While you’ve most likely given more than enough airtime to ensuring your digital data is fully compliant, you definitely wouldn’t be the only company to have failed to give as much attention to its physical counterpart.

Picture this scenario: despite your organisation spending a significant chunk of your budget on becoming GDPR compliant, a member of your team leaves a print-out of an entire customer database hanging out of the office recycling bin. While it may just look like a bit of a mess, this could actually constitute a breach of compliance with the ability to inflict financial or legal punishment.

GDPR is more than just technology

Paper documents have become the glaring blind spot in every GDPR plan. Any organisation’s compliance strategy is torn to shreds once users disengage from the whole purpose behind data privacy and treat prints and scans without the sensitivity they demand.

After all, physical data has the ability to spread its way across the office as fast as an internal email. Here are four very possible scenarios that could leave you open to a breach:

Scenario 1:

At the end of a meeting in a shared conference room, attendees leave their used mugs and print-outs on the table, leaving confidential and personal data open to a breach.

Scenario 2:

A few employees are behind on their office chores resulting in an overflow of paper from the recycling bins. Due to ineffective recycling, a GDPR breach has occurred.

Scenario 3:

Someone in the finance department has printed a list of debtors, but got distracted by a phone call before they had a chance to pick it up from the device. This is bad practice, even before you bring GDPR into the mix.

Back to basics

According to the vagaries of GDPR, each of these scenarios changes the status of a document from being securely held under a compliant process to being a ‘public document’. And that, in turn, drastically alters the compliance status of the organisation responsible.

Okay, the examples above may involve simple human error. However, although these errors are minor, they can result in major penalties, including the much-touted fine of up to 4% of your annual turnover.

It’s worth putting GDPR to one side for a moment and considering that breaches like this should not happen regardless of compliance requirements. Individuals are entitled to have their personal data treated sensitively and confidentially, and leaving pieces of paper lying around very obviously flies in the face of that.

So what can you do?

The mitigation is more than just staff awareness or even training. Awareness allows an easy ‘get-out’ from people’s innate sense of responsibility. The key is to foster sensitivity to the issue and define processes that all individuals consciously engage with. These processes, when documented, support the achievement of GDPR compliance, and demonstrate a commitment to best practice even if something does go wrong in the future.

We’d also advise you to add to these processes with greater control over what comes out of devices. When configured correctly, print management solutions such as KYOCERA Net Manager and MyQ can provide a ‘state of the art’ technology to ensure documents are secure and not left at a device unattended. As well as user access, such solutions can also automate document storage and deletion and provide full audit trails of what the device has been used for.

As a technology provider, even we recognise that technology only gets you so far. Your people and culture are your ultimate defence against any threat to data protection or privacy, and fully addressing this need could be your best GDPR investment.

Don’t just take our word for it though, especially as this article doesn’t constitute legal advice. That can be found with GDPR law subject experts, and for further information you should refer to the Information Commissioner’s Office.

About the author

Joe Doyle joined the KYOCERA group in July 2018 as Group Marketing Director and has over 20 years of business-to-business marketing experience across telecoms, technology and business process outsourcing.

Joe was previously Marketing Director at Annodata, and prior to that held the role of Vice President of Global Marketing at Sitel, one of the world’s largest BPOs. Joe has also held senior roles in companies including Azzurri Communications, Npower, Kingston Communications and Cable & Wireless.

Joe has provided thought leadership and best-practice advice via countless magazine and online publications as well as speaking at numerous events in both Europe and the US.
